Thursday, April 4, 2013

How to Setup Chroot SFTP in Linux (Allow Only SFTP, not SSH)

This tutorial describes how to give users chrooted SSH and/or chrooted SFTP access in a Linux environment.
With this setup, users cannot see your whole system. They are jailed in a specific directory which they will not be able to break out of.

If you want to set up an account on your system that will be used only to transfer files (and not to ssh into the system), you should set up an SFTP chroot jail.

In a typical SFTP scenario, where chroot SFTP is not set up, a user who connects with sftp can see the whole file system, limited only by the permissions assigned to that user.

If you want to give outside vendors SFTP access to your system to transfer files, you should not use standard SFTP. Instead, set up a chroot SFTP jail as explained below.

Non-Chroot SFTP Environment
In the following example (a typical sftp environment), user1 can sftp to the system, and view /etc folder and download the files from there:

Now that it is clear what a chroot SFTP environment is, let us see how to configure it.

Creating a New Group
Create a group called sftpusers. Only users who belong to this group will be automatically restricted to the SFTP chroot environment on this system.

# groupadd sftpusers

Create a new User or Modify an Existing User

Let us say you want to create a user user1 who should be allowed only to perform SFTP in a chroot environment, and should not be allowed to log in over SSH.

Verify that the user was created properly:

# grep user1 /etc/passwd
user1:x:520:520::/incoming:/sbin/nologin

If you want to modify an existing user user2 and make him an sftp user only and put him in the chroot sftp jail, do the following:

So, /sftp/user1 is equivalent to / for user1. When user1 connects over SFTP and performs “cd /”, they will see only the contents of the directories under “/sftp/user1” (and not the real / of the system). This is how the chroot works.

So, under this directory /sftp/user1, create any subdirectories you would like the user to see. For example, create an incoming directory where users can upload their files over SFTP.

# mkdir /sftp/user1/incoming

Setup Appropriate Permissions
For chroot to work properly, you need to make sure the appropriate permissions are set on the directory you just created above.

Set the ownership to the user and the group to sftpusers, as shown below.

# chown user1:sftpusers /sftp/user1/incoming

Now check the permissions of the directories as shown below:
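As an added example (not part of the original post), the following POSIX shell function checks what sshd demands of a ChrootDirectory path: every component from the jail root (here /sftp/user1) upward must be owned by root and must not be writable by group or others, which is why only the subdirectory incoming is handed to user1 and the jail root itself is not. A group-writable or user-owned jail root is the most common reason a chroot SFTP login fails. The owner_uid and top arguments are hypothetical conveniences added here so the check can be exercised on a scratch tree without root privileges; the function relies on GNU stat as found on Linux.

```shell
#!/bin/sh
# Added example: verify a chroot SFTP directory path against sshd's rules.
# sshd only accepts a ChrootDirectory whose every path component is a
# root-owned directory that is not writable by group or others.
#
# Usage: check_chroot_path DIR [OWNER_UID] [TOP]
#   OWNER_UID defaults to 0 (root). TOP defaults to / and is where the
#   upward walk stops. Both are hypothetical knobs added for testing on a
#   scratch tree; on a real server call it as: check_chroot_path /sftp/user1
# Prints one line per problem found; exit status 0 means the path is fine.
check_chroot_path() {
    dir=$1
    want_uid=${2:-0}
    top=${3:-/}
    rc=0
    p=$dir
    while [ "$p" != "$top" ] && [ "$p" != "/" ]; do
        if [ ! -d "$p" ]; then
            echo "MISSING        $p"
            rc=1
        else
            # GNU stat: %u = numeric owner uid, %A = symbolic mode (drwxr-xr-x)
            uid=$(stat -c %u "$p")
            perms=$(stat -c %A "$p")
            if [ "$uid" != "$want_uid" ]; then
                echo "BAD-OWNER      $p (uid $uid, want $want_uid)"
                rc=1
            fi
            # 6th character is the group write bit, 9th the others write bit
            case $perms in
                ?????w*) echo "GROUP-WRITABLE $p ($perms)"; rc=1 ;;
            esac
            case $perms in
                ????????w*) echo "WORLD-WRITABLE $p ($perms)"; rc=1 ;;
            esac
        fi
        p=$(dirname "$p")
    done
    return $rc
}

# Stand-alone demonstration on a constructed scratch tree (not a real jail):
# first with the classic mistake (group-writable jail root), then corrected.
demo_chroot_check() {
    t=$(mktemp -d)
    mkdir -p "$t/sftp/user1/incoming"
    chmod 775 "$t/sftp/user1"
    echo "--- before fix:"
    check_chroot_path "$t/sftp/user1" "$(id -u)" "$t" || echo "rejected"
    chmod 755 "$t/sftp" "$t/sftp/user1"
    echo "--- after fix:"
    check_chroot_path "$t/sftp/user1" "$(id -u)" "$t" && echo "accepted"
    rm -rf "$t"
}

if [ "${1:-}" = "demo" ]; then
    demo_chroot_check
fi
```

Run it as `sh check_chroot.sh demo` to see both outcomes on a scratch tree, or source the file and call `check_chroot_path /sftp/user1` as root on the server; any line it prints corresponds to a component sshd would refuse.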